Change logs for rssh source package in Sid

  • rssh (2.3.4-12) unstable; urgency=high
    
      * The fix for the scp security vulnerability in 2.3.4-9 combined with
        the regression fix in 2.3.4-10 rejected the -pf and -pt options, which
        are sent by libssh2's scp support.  Add support for those variants.
        (LP #1815935)
    
     -- Russ Allbery <email address hidden>  Mon, 18 Feb 2019 18:58:27 -0800
  • rssh (2.3.4-11) unstable; urgency=high
    
      * The fix for the scp security vulnerability in 2.3.4-9 introduced a
        regression that blocked scp of multiple files from a server using
        rssh.  Based on further analysis of scp's command-line parsing, relax
        the check to require the server command contain -f or -t, which should
        deactivate scp's support for remote files.  (Closes: #921655)
    
     -- Russ Allbery <email address hidden>  Sun, 10 Feb 2019 11:17:28 -0800
  • rssh (2.3.4-10) unstable; urgency=high
    
      * Also reject rsync --daemon and --config command-line options, which
        can be used to run arbitrary commands.  Thanks, Nick Cleaton.
        (CVE-2019-3463)
      * Unset the HOME environment variable when running rsync to prevent popt
        (against which rsync is linked) from loading a ~/.popt configuration
        file, which can run arbitrary commands on the server or redefine
        command-line options to bypass argument checking.  Thanks, Nick
        Cleaton.  (CVE-2019-3463)
      * Do not stop checking the rsync command line at --, since this can be
        an argument to some other option and later arguments may still be
        interpreted as options.  In the few cases where one needs to rsync to
        files named things like --rsh, the client can use ./--rsh instead.
        Thanks, Nick Cleaton.
      * Remove now-unused variables from the rsync validation patch.
    
     -- Russ Allbery <email address hidden>  Sat, 02 Feb 2019 10:59:47 -0800
  • rssh (2.3.4-9) unstable; urgency=high
    
      [ Russ Allbery ]
      * Validate the allowed scp command line and only permit the flags used
        in server mode and only a single argument, to attempt to prevent use
        of ssh options to run arbitrary code on the server.  This will break
        scp -3 to a system running rssh, which seems like an acceptable loss.
        (Closes: #919623, CVE-2019-1000018)
      * Tighten validation of the rsync command line to require --server be
        the first argument, which should prevent initiation of an outbound
        rsync command from the server, which in turn might allow execution of
        arbitrary code via ssh configuration similar to scp.
      * Add validation of the server command line after chroot when chroot is
        enabled.  Prior to this change, dangerous argument filtering was not
        done when chroot was configured, allowing remote code execution inside
        the chroot in some configurations via the previous two bugs and via
        the mechanisms in CVE-2012-2251 and CVE-2012-2252.
      * Document that the cvs server-side dangerous option filtering is
        probably insufficient and should not be considered secure.
      * Remove ancient upgrade support in debian/postinst.
      * Remove debian/source/options, which was forcing compression to xz (now
        the default).
      * Update to debhelper compatibility level V12.
      * Update standards version to 4.3.0 (no changes required).
    
      [ Ondřej Nový ]
      * d/watch: Use https protocol
    
     -- Russ Allbery <email address hidden>  Mon, 28 Jan 2019 21:03:59 -0800
  • rssh (2.3.4-8) unstable; urgency=medium
    
      * Update Vcs-Git and Vcs-Browser for the move to salsa.debian.org.
      * Use https URL for copyright-format 1.0.
      * Update standards version to 4.1.4 (no changes required).
    
     -- Russ Allbery <email address hidden>  Sun, 22 Apr 2018 10:58:03 -0700
  • rssh (2.3.4-7) unstable; urgency=medium
    
      * Change the specified mode of conf_convert in the Debian patch to be
        0644, since dpkg doesn't support modes the way that Git does and will
        ignore the mode anyway.  This mismatch was breaking use of dgit for
        this package.
    
     -- Russ Allbery <email address hidden>  Sat, 23 Dec 2017 20:13:24 -0800
  • rssh (2.3.4-6) unstable; urgency=medium
    
      * Add Rules-Requires-Root: no.
      * Update to debhelper compatibility level V11.
        - Remove now-useless build dependency on dh-autoreconf.
      * Clean up trailing whitespace in debian/changelog.
      * Update standards version to 4.1.2 (no changes required).
    
     -- Russ Allbery <email address hidden>  Sun, 17 Dec 2017 16:21:18 -0800
  • rssh (2.3.4-5) unstable; urgency=medium
    
      * Enable all hardening flags.
      * Fix another spelling error in the rssh man page, caught by Lintian.
      * Translation updates:
        - Indonesian, thanks Izharul Haq.  (Closes: #835621)
      * Switch to the DEP-14 branch layout and update debian/gbp.conf and
        Vcs-Git accordingly.
      * Run wrap-and-sort -ast on packaging files.
      * Switch to https for Vcs-Git and Vcs-Browser URLs.
      * Fix duplicate license clause in debian/copyright.
      * Update standards version to 3.9.8 (no changes required).
    
     -- Russ Allbery <email address hidden>  Mon, 05 Sep 2016 15:39:58 -0700
  • rssh (2.3.4-4) unstable; urgency=low
    
    
      * Fix typo in the example mkchroot script that causes it to fail to
        copy the libnss compat modules.  Patch from Jeremy Jongepier.
        (Closes: #729294)
      * This package is now maintained using gbp pq from git-buildpackage.
        Remove the TopGit glue and the obsolete README.source package and
        rename the patches based on the export convention of gbp pq.
      * Drop override to use xz compression for the binary package.  This is
        now the default in dpkg-buildpackage.
      * Update standards version to 3.9.5 (no changes required).
      * Translation updates:
        - Portuguese (Brazilian), thanks Fernando Ike de Oliveira.
          (Closes: #723148)
      * Reformat translations with debconf-updatepo.  Add some missing
        Language fields and update the Report-Msgid-Bugs-To address.
    
     -- Russ Allbery <email address hidden>  Sat, 07 Dec 2013 19:18:35 -0800
  • rssh (2.3.4-3) unstable; urgency=low
    
    
      * Patch the upstream build system to honor CFLAGS and CPPFLAGS as passed
        to configure.  This fixes use of hardening flags during the build.
        Thanks to Simon Ruderich for the patch.  (Closes: #709941)
    
     -- Russ Allbery <email address hidden>  Tue, 28 May 2013 14:37:10 -0700
  • rssh (2.3.4-2) unstable; urgency=low
    
    
      * Upload to unstable.
      * Fix implicit function declaration compiler warning from the svnserve
        patch.
      * Use xz compression for the Debian source and binary package.
      * Canonicalize the Vcs-Git and Vcs-Browser control fields.
      * Update standards version to 3.9.4 (no changes required).
    
     -- Russ Allbery <email address hidden>  Sat, 11 May 2013 17:09:30 -0700
  • rssh (2.3.3-6) unstable; urgency=high
    
    
      * Fix several flaws in validation of rsync options.  Ensure --server
        cannot be hidden from the server by putting it after -- or as the
        argument to another option.  Verify that the -e option's value matches
        expectations rather than trying to look for invalid -e option values.
        (CVE-2012-2251)
      * Reject the rsync --rsh option even if it does not contain a trailing
        equal sign.  (CVE-2012-2252)
    
     -- Russ Allbery <email address hidden>  Thu, 22 Nov 2012 12:01:41 -0800
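The rsync and scp command-line filtering described in the 2.3.4-9 through
2.3.4-12 entries above and in this 2.3.3-6 entry amounts to a small set of
rules: whitelist the scp server-mode flags (including libssh2's -pf/-pt),
require -f or -t and exactly one path; require --server as the first rsync
argument, scan every later argument without stopping at --, reject --rsh,
--daemon and --config with or without a value, check the -e value against
what the rsync client actually sends, and unset HOME before exec so popt
cannot read ~/.popt. The following is an added example of those rules
written in Python; it is not rssh's code or the Debian patches. The scp flag
whitelist, the -e value pattern, the helper names and the sample commands
are this example's assumptions.

```python
# Added example, not rssh's code: the scp/rsync filtering described in the
# 2.3.4-9 .. 2.3.4-12 and 2.3.3-6 entries, as one would write it in Python.
# The option whitelist, the -e value pattern and all names are assumptions.
import os
import re
import shlex

class Rejected(Exception):
    """The command line sent over ssh must not be executed."""

# scp flags the OpenSSH client sends to the server side, plus the -pf/-pt
# variants libssh2 sends (2.3.4-12).  Client-side options such as -3, -o
# and -S are deliberately absent (2.3.4-9).  Assumed set.
SCP_SERVER_FLAGS = {"-v", "-r", "-p", "-d", "-f", "-t", "-pf", "-pt"}
SCP_MODE_FLAGS = {"-f", "-t", "-pf", "-pt"}

def check_scp(argv):
    """Server-mode flags only, -f or -t required (this deactivates scp's
    support for remote files), exactly one path (2.3.4-9, 2.3.4-11)."""
    flags = [a for a in argv[1:] if a.startswith("-")]
    paths = [a for a in argv[1:] if not a.startswith("-")]
    for flag in flags:
        if flag not in SCP_SERVER_FLAGS:
            raise Rejected("scp option not allowed: " + flag)
    if not SCP_MODE_FLAGS.intersection(flags):
        raise Rejected("scp server command must contain -f or -t")
    if len(paths) != 1:
        raise Rejected("scp server command must name exactly one path")
    return argv

# rsync long options that run commands or reread configuration on the
# server (2.3.3-6, 2.3.4-10); matched with or without "=value".
RSYNC_FORBIDDEN_LONG = ("--rsh", "--daemon", "--config")
# In server mode the client passes its protocol capabilities as the -e
# value, e.g. "-logDtprze.iLsfxC": accept a dot plus letters only (this is
# the example's reading of "matches expectations" in 2.3.3-6).
RSYNC_E_VALUE = re.compile(r"^\.[A-Za-z]*$")

def check_rsync(argv):
    """--server must come first; scan every later argument and never stop
    at "--", which may itself be an option value (2.3.4-9, 2.3.4-10)."""
    if len(argv) < 2 or argv[1] != "--server":
        raise Rejected("--server must be the first rsync argument")
    want_e_value = False
    for arg in argv[2:]:
        if want_e_value:                      # value of a bare "-e"
            if not RSYNC_E_VALUE.match(arg):
                raise Rejected("bad -e value: " + arg)
            want_e_value = False
            continue
        for bad in RSYNC_FORBIDDEN_LONG:
            if arg == bad or arg.startswith(bad + "="):
                raise Rejected("rsync option not allowed: " + arg)
        if arg.startswith("-") and not arg.startswith("--"):
            # Short-option cluster: the text after the first 'e' is the -e
            # value; 'e' is rsync's only short option spelled that way.
            i = arg.find("e")
            if i > 0:
                value = arg[i + 1:]
                if value == "":
                    want_e_value = True
                elif not RSYNC_E_VALUE.match(value):
                    raise Rejected("bad -e value: " + value)
    if want_e_value:
        raise Rejected("-e without a value")
    return argv

def exec_environment(environ):
    """Drop HOME so popt, which rsync is linked against, cannot load
    ~/.popt on the server (2.3.4-10, CVE-2019-3463)."""
    env = dict(environ)
    env.pop("HOME", None)
    return env

def validate(command):
    """Split the ssh command into an argv (rssh does its own splitting;
    shlex stands in for it here) and return it if it may be exec'ed."""
    argv = shlex.split(command)
    if not argv:
        raise Rejected("empty command")
    prog = os.path.basename(argv[0])
    if prog == "scp":
        return check_scp(argv)
    if prog == "rsync":
        return check_rsync(argv)
    raise Rejected("program not allowed: " + prog)

def is_allowed(command):
    try:
        validate(command)
        return True
    except Rejected:
        return False

if __name__ == "__main__":
    for cmd in [                      # constructed inputs, not captured traffic
        "scp -pf /srv/upload/file.txt",                       # libssh2 client
        "scp -f /srv/a /srv/b",                               # two paths
        "rsync --server --sender -logDtpre.iLsfxC . /srv/download/",
        "rsync --server -logDtpr . -- --rsh=sh",              # hidden behind --
    ]:
        print(("ALLOW  " if is_allowed(cmd) else "REJECT ") + cmd)
```

The argv that validate returns is what would be passed to exec directly, with
exec_environment(os.environ) as its environment and no shell in between; a
shell would reintroduce exactly the expansion these checks rule out. As the
2.3.4-9 entry notes, when chroot is enabled this filtering has to run after
the chroot, not only before it, or it never applies to the command that is
actually executed.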
  • rssh (2.3.3-5) unstable; urgency=medium
    
    
      * Apply upstream patch to close security vulnerability that permitted
        clever manipulation of environment variables on the ssh command line
        to bypass rssh checking.  (CVE-2012-3478)
    
     -- Russ Allbery <email address hidden>  Fri, 10 Aug 2012 22:14:34 -0700
  • rssh (2.3.3-4) unstable; urgency=low
    
    
      * Force libexecdir to /usr/lib/rssh.  This is not a library package and
        has no reason to be using the multiarch paths, but picked up the
        modification to libexecdir as a side effect of the debhelper
        compatibility level change.  (Closes: #663011)
    
     -- Russ Allbery <email address hidden>  Wed, 07 Mar 2012 16:07:37 -0800
  • rssh (2.3.3-3) unstable; urgency=low
    
    
      * Translation updates:
        - Danish, thanks Joe Dalton.  (Closes: #659447)
      * Update debian/copyright to copyright-format 1.0.
      * Update standards version to 3.9.3 (no changes required).
    
     -- Russ Allbery <email address hidden>  Sun, 04 Mar 2012 21:43:29 -0800
  • rssh (2.3.3-2) unstable; urgency=low
    
    
      * Update examples/mkchroot.sh to include libnss modules in a multiarch
        subdirectory of /lib if none exist directly in /lib.
      * Update to debhelper compatibility level V9.
        - Enable compiler hardening flags, including bindnow and PIE.
          (Closes: #654155)
      * Use dh-autoreconf to regenerate the Autotools build system rather than
        rolling our own equivalent.
      * Update standards version to 3.9.2 (no changes required).
    
     -- Russ Allbery <email address hidden>  Sun, 05 Feb 2012 19:51:55 -0800
  • rssh (2.3.3-1) unstable; urgency=low
    
      * New upstream release.
        - Exit with non-zero status when fatal() is called.
        - Merges Debian fixes/config-parse-fatal, fixes/man-page-hyphen, and
          fixes/missing-config patches.
      * In the example mkchroot script, also check for and copy over the
        dependencies of any of the NSS libraries we copy over.  This picks up
        the libnsl library, which is now required.  Print out a warning that
        mkchroot doesn't copy over any of the libraries required for other
        supporting programs (rsync, etc.), only those for scp and sftp.
        (Closes: #611878)
      * Update debian/copyright to the current DEP-5 format.
      * Update to debhelper compatibility level V8.
      * Update to standards version 3.9.1 (no changes required).
    
     -- Russ Allbery <email address hidden>  Mon, 28 Feb 2011 17:45:00 -0800
  • rssh (2.3.2-13) unstable; urgency=low
    
    
      * When allocating the buffer to tell a locked-out user what commands are
        supported, add an additional byte for the nul at the end of the
        string.  (Closes: #601145)
    
     -- Russ Allbery <email address hidden>  Wed, 10 Nov 2010 11:23:07 -0800
  • rssh (2.3.2-12) unstable; urgency=low
    
    
      * If parsing the configuration file fails, abort with an error rather
        than continuing on and applying the defaults, since the defaults may
        be wrong for the current user.  Patch from Jon Barber.
      * Fix spelling error (seperate for separate) in rssh man page.
      * Remove version from openssh-server dependency since it was older than
        oldstable.
      * Update standards version to 3.9.0 (no changes required).
    
     -- Russ Allbery <email address hidden>  Tue, 06 Jul 2010 18:07:47 -0700
  • rssh (2.3.2-11) unstable; urgency=low
    
    
      * Switch to 3.0 (quilt) source format.
        - Remove build dependency on quilt and debian/rules machinery.
      * Remove all of the files touched by autoreconf -i.
      * Remove Jesus Climent from uploaders.  He hasn't had time to work on
        the package in a while.
      * Update standards version to 3.8.4 (no changes required).
    
     -- Russ Allbery <email address hidden>  Mon, 29 Mar 2010 11:28:43 -0700
  • rssh (2.3.2-10) unstable; urgency=low
    
    
      * Update standards version 3.8.2 (no changes required).
      * Translation updates:
        - Czech, thanks Martin Šín.  (Closes: #533389)
        - Russian, thanks Yuri Kozlov.  (Closes: #537062)
    
     -- Russ Allbery <email address hidden>  Sat, 18 Jul 2009 19:49:00 -0700
  • rssh (2.3.2-9) unstable; urgency=low
    
    
      * This package is now maintained using Git and TopGit.  A quilt
        patch series is exported from TopGit branches for the final Debian
        package.  Update debian/README.source, the Vcs-* control fields, and
        debian/rules accordingly.
      * Add support for svnserve (Subversion).  This requires a change in the
        format of /etc/rssh.conf to add an additional binary digit to the
        permissions field.  /etc/rssh.conf will be automatically updated as
        part of the package upgrade using /usr/share/rssh/conf_convert.  Patch
        from Davide Scola.  (Closes: #284756)
      * In mkchroot, also install /dev/zero in the chroot.  Noted in an
        updated patch from Ross Davis sent to the rssh-discuss list.
      * Remove postrm script that removed rssh from /etc/shells.  We do that
        in postinst on upgrade and have for some time, so this maintainer
        script was unnecessary.
      * Convert to the proposed new copyright format.
      * Swap Maintainer and Uploaders, making me the primary maintainer.  I've
        done all of the recent uploads.
      * Update debhelper compatibility level to V7.
        - Use rule minimization with overrides.
        - Move install, examples, and manpage lists into separate files.
        - Add --enable-static if "static" is in DEB_CONFIGURE_OPTIONS rather
          than requiring the variable be set to exactly --enable-static.
        - Remove unnecessary debian/dirs.
      * Update standards version to 3.8.1 (no changes required).
      * Translation updates:
        - Spanish, thanks Francisco Javier Cuadrado.  (Closes: #509356)
    
     -- Russ Allbery <email address hidden>  Sat, 04 Apr 2009 15:41:07 -0700
  • rssh (2.3.2-8) unstable; urgency=low
    
    
      * The upstream mkchroot script uses echo -e, so make it a /bin/bash
        script, which is less invasive than rewriting all of the echo
        statements to printf.  Thanks, Raphael Geissert.  (Closes: #489653)
      * Update standards version to 3.8.0.
        - Add a README.source file pointing to the quilt documentation.
    
     -- Russ Allbery <email address hidden>  Sun, 13 Jul 2008 13:09:38 -0700